Understanding GDPR Consent
The General Data Protection Regulation (GDPR), or the Data Protection Bill, will come into force on 25 May 2018. Despite there being less than a year for UK organisations to become compliant, the Information Commissioner’s Office (ICO) has yet to finalise its GDPR consent guidance, which it plans to release in December.
As the specifics surrounding GDPR consent requirements are still subject to change, it can be a challenge to know what proactive measures your organisation can take now.
Nevertheless, it’s expected that the central components of what is currently known about GDPR compliance will remain relatively unchanged when the official guidance is published by the ICO. For that reason, your organisation should review how it obtains customer consent to ensure that it meets the following GDPR requirements:
- Unbundled. Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.
- Active opt-in. You cannot use pre-ticked opt-in boxes, as they are invalid.
- Granular. Provide options to individuals to consent to different types of processing.
- Named. Provide the name of your organisation and any third parties that will be relying on consent.
- Documented. Keep records that demonstrate what the individual has consented to, what they were told, and when and how they consented.
- Easy to withdraw. Inform individuals that they have the right to withdraw their consent at any time and explain how to do that.
- No imbalance in the relationship. Consent will not be freely given if there is an imbalance in the relationship between the individual and your organisation.
Regardless of the specifics of the ICO’s final consent guidance, your organisation should begin making changes to your consent practices now. For more information on protecting your organisation and ensuring continued compliance, contact MFL today.
DID YOU KNOW?
Had the General Data Protection Regulation (GDPR) been in place during 2016-17, the Information Commissioner’s Office would have collected £69 million in fines rather than £880,000. Fines under the GDPR are steep, with potential fines of up to €20 million (roughly £16 million), or 4 percent of annual turnover—whichever is higher—for violating the basic principles related to data security or for violating consumer consent. Continue reading to learn what steps your organisation needs to take in order to be compliant.